The Data Retention Directive is designed to harmonise the legislation of EU member states concerning the retention of data by telecom service providers and ISPs, which are obliged by the directive to retain such data and make it available to European law enforcement authorities under certain circumstances.

Following court challenges brought by privacy advocates, the High Court in Ireland and the Austrian Constitutional Court referred to the court a number of questions concerning the compatibility of the directive with EU fundamental rights law and, in particular, the EU Charter of Fundamental Rights, which came into force in 2009 before the directive was enacted and prior to the Lisbon framework that strengthened fundamental rights in the EU's constitutional structure. One of the court's advocates-general had already recommended in December 2013 that the directive be invalidated.

Without going into a lot of detail, the court found that the directive allows a disproportionate interference with the rights to privacy and data protection—they are not exactly the same in European law! In particular, it found both flaws in the directive, which led it to conclude that the directive failed to meet the important test of proportionality under EU law. The court did leave some "wiggle room" for a data retention scheme to be structured legally but only under strict conditions.

While the exact implications of the judgment will only become clear in the coming weeks and months, I have the following initial reactions:

First, the judgment emphasises the firm legal foundation for fundamental rights under the framework of the Lisbon Treaty. It will thus strengthen the hand of those—like the European Parliament—who emphasise the key role that fundamental rights play in the proposed GDPR.

Second, the judgment may increase the likelihood of an agreement on the GDPR eventually being reached. Invalidation by the court of a key piece of legislation based solely on fundamental rights grounds may spur institutions engaged in negotiation of the GDPR to realise that the EU cannot continue with a data protection framework enacted in the pre-Lisbon era.

Third, any cooperation between the EU and U.S. regarding the sharing of data for law enforcement purposes just got harder, in particular because of language towards the end of the judgment criticizing the directive for not requiring data retained under it to be stored in the EU. This confirms that the transfer of personal data outside of the EU for law enforcement purposes will be subject to strict legal scrutiny.

Fifth, the case has implications for whatever system of data retention the U.S. may be considering. In a statement released on March 27, President Barack Obama announced that he plans to end the Section 215 bulk telephony metadata program and that such data should instead be retained by telecommunications companies, subject to disclosure to law enforcement authorities based on legal process. While the specific details of how such a system would work have not been released, the broad outlines seem to resemble the system used in the EU Data Retention Directive that has now been invalidated.

Finally, the judgment gives a taste of what is ahead for EU data protection law, namely a tighter control of legislation based on EU fundamental rights principles. This means that final agreement on the GDPR is not just a matter of power politics, but that it must meet EU fundamental rights standards if it is to withstand future court challenges.

Telecoms companies and ISPs that are currently subject to member state legislation implementing the directive will naturally wonder how they should cope with its invalidation. Besides the Data Retention Directive, the EU E-Privacy Directive contains a provision (Article 15) allowing member states to allow data retention for law enforcement purposes. However, it is difficult to imagine that this provision could provide a long-term and stable solution for widespread data retention.

The judgment of the European Court of Justice thus represents a milestone in EU data protection law, both with regard to the fundamental rights standards applicable to the collection and sharing of data for law enforcement purposes and more generally as well.

Tags

2 Comments

It could be that this decision will give EU lawyers something (EU fundamental rights standards) to cite to counter the US lawyers who drone on constantly about the first amendment.

comment
Worried citizen • Apr 12, 2014

The European Union certainly needs a strong law to fully protect their citizens not only against abusive retention of data by service providers and other Internet-based corporations but also against locks established on our public digital footprints by amoral corporations whose business market is our personal information.
I would say the way our digital footprint is publicly exposed by corporations like Google, without allowing us to modify/remve this content, is even worse than abusive data retention by service providers in the sense these public profiles are available to anyone running a web browser while data gathered and retained by service providers is available only to a small set of authorized individuals.
Protection against abusive data retention should include public profiles (what most people would call digital footprints) too. It would be sad if this law is restricted to our navigation habits and other metadata gathered by means of cookies and logs parsing. We truly need a law that protects us not only against abusive data collection by third parties but also allowing us to manage our own digital footprint.

Related Stories

Late May is a good time for privacy regulations to come into effect. Prior to May, short days, cold weather and rain typically keep us indoors anyway, so what better to do than work on data protection? But, after May, it’s helpful to have things mostly in order to allow for more time wandering in an...

There has been no shortage of EU General Data Protection Regulation one-year articles in the last week or two and with reason. It has been a game changer. It has required a lot of sweat and tears (hopefully no blood). And though May 25, 2018, may have ended the "ramping-up period," it "was hardly an...

We know, there's lots of privacy news, guidance and documentation to keep up with every day. And we also know, you're busy doing all the things required of the modern privacy professional. Sure, we distill the latest news and relevant content down in the Daily Dashboard and our weekly regional diges...

On Wednesday, Amazon's shareholders voted to not limit the sale of its Rekognition software to governments and government agencies. Opponents wanted to limit the sale of the technology, citing concerns the impact it could have on civil and human rights, and pushed for stronger oversight as to who co...

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.